Decrypt GSM SMS

In my previous article we saw how to sniff the GSM network and capture downstream packets. To better understand all the parameters and technology terminology, read my article GSM Networks for Pentesters.

Before Cracking

Before starting the decryption process we need a few things ready.

  • Our cfile with all the captured data
  • Kc key – grabbed from our SIM card
  • TMSI
  • Rainbow tables to crack A5/1 encryption
  • All tools working with the correct versions

Limitations

  • You CAN’T decode SMS LIVE – 😉

Understand our Tool

In order to decrypt SMS data it is necessary to use the GNU Radio (gr-gsm) tool grgsm_decode; read my article about how to install GNU Radio.

grgsm_decode -h
Usage: grgsm_decode: [options]

The grgsm_decode tool has a lot of options, divided into 4 categories:

Basic Options

  -m CHAN_MODE, --mode=CHAN_MODE
                        Channel mode. Valid options are 'BCCH' (Non-combined
                        C0), 'BCCH_SDCCH4'(Combined C0), 'SDCCH8' (Stand-alone
                        control channel) 'TCHF' (Traffic Channel, Full rate),
                        'TCHH' (Traffic Channel, Half rate)
  -t TIMESLOT, --timeslot=TIMESLOT
                        Timeslot to decode [default=0]
  -u SUBSLOT, --subslot=SUBSLOT
                        Subslot to decode. Use in combination with channel
                        type BCCH_SDCCH4 and SDCCH8
  -b BURST_FILE, --burst-file=BURST_FILE
                        Input file (bursts)
  -c CFILE, --cfile=CFILE
                        Input file (cfile)
  -v, --verbose         If set, the decoded messages (with frame number and
                        count) are printed to stdout
  -p, --print-bursts    If set, the raw bursts (with frame number and count)
                        are printed to stdout

Cfile Options

Cfile Options:
    Options for decoding cfile input.

    -f FC, --fc=FC      Frequency of cfile capture
    -a ARFCN, --arfcn=ARFCN
                        Set ARFCN instead of frequency (for PCS1900 add 0x8000
                        (2**15) to the ARFCN number).
    -s SAMP_RATE, --samp-rate=SAMP_RATE
                        Sample rate of cfile capture [default=1.0M]
    --ppm=PPM           Set frequency offset correction [default=0]

Decryption Options

Decryption Options:
    Options for setting the A5 decryption parameters.

    -e A5, --a5=A5      A5 version [default=1]. A5 versions 1 - 3 supported
    -k KC, --kc=KC      A5 session key Kc. Valid formats are
                        '0x12,0x34,0x56,0x78,0x90,0xAB,0xCD,0xEF' and
                        '1234567890ABCDEF'

TCH Options

 TCH Options:
    Options for setting Traffic channel decoding parameters.

    -d SPEECH_CODEC, --speech-codec=SPEECH_CODEC
                        TCH-F speech codec [default=FR]. Valid options are FR,
                        EFR, AMR12.2, AMR10.2, AMR7.95, AMR7.4, AMR6.7,
                        AMR5.9, AMR5.15, AMR4.75
    -o SPEECH_OUTPUT_FILE, --output-tch=SPEECH_OUTPUT_FILE
                        tch/f speech output file [default=/tmp/speech.au.gsm].
    --sub-channel=TCH_H_CHANNEL
                        TCH/H sub-channel. [default=0]
    --multi-rate=MULTI_RATE
                        The MultiRate configuration element from the
                        Assignment Command message. Example: 28111a40. See
                        3GPP TS 44.018 - 10.5.2.21aa MultiRate configuration
    --voice-boundary    Enable voice boundary detection for traffic channels.
                        This can help reduce noice in the output.
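As an added example (not from the original article or from gr-gsm itself), the following Python helpers check the two inputs that most often go wrong when filling in the options above: the ARFCN given to -a (including the 0x8000 marker for PCS1900) and the Kc string given to -k. The band formulas are the standard ones from 3GPP TS 45.005; the function and constant names are my own.

```python
# Added example: helpers for preparing the -a and -k inputs of grgsm_decode.
# Not part of gr-gsm; names (PCS1900_FLAG, arfcn_to_downlink_mhz, normalize_kc,
# kc_as_comma_form) are chosen for this illustration.
import re

PCS1900_FLAG = 0x8000  # grgsm_decode marks PCS1900 ARFCNs by adding 0x8000 (2**15)


def arfcn_to_downlink_mhz(arfcn):
    """Downlink (BTS -> phone) centre frequency in MHz for an ARFCN.

    Band edges follow 3GPP TS 45.005. PCS1900 reuses the ARFCN numbers
    512-810 of DCS1800, which is why the tool needs the 0x8000 flag.
    """
    if arfcn & PCS1900_FLAG:
        n = arfcn & ~PCS1900_FLAG
        if not 512 <= n <= 810:
            raise ValueError(f"ARFCN {n} is outside the PCS1900 range 512-810")
        return round(1850.2 + 0.2 * (n - 512) + 80.0, 1)   # uplink + 80 MHz
    if 0 <= arfcn <= 124:                                   # P-GSM 900
        return round(890.0 + 0.2 * arfcn + 45.0, 1)
    if 975 <= arfcn <= 1023:                                # E-GSM 900 extension
        return round(890.0 + 0.2 * (arfcn - 1024) + 45.0, 1)
    if 128 <= arfcn <= 251:                                 # GSM 850
        return round(824.2 + 0.2 * (arfcn - 128) + 45.0, 1)
    if 512 <= arfcn <= 885:                                 # DCS 1800
        return round(1710.2 + 0.2 * (arfcn - 512) + 95.0, 1)
    raise ValueError(f"ARFCN {arfcn} is not in a supported GSM band")


def normalize_kc(kc):
    """Parse a Kc in either format grgsm_decode accepts and return 8 bytes.

    Accepted: '0x12,0x34,0x56,0x78,0x90,0xAB,0xCD,0xEF' or '1234567890ABCDEF'.
    Anything else (wrong length, stray characters) raises ValueError.
    """
    s = kc.strip()
    if "," in s:
        parts = [p.strip() for p in s.split(",")]
        if len(parts) != 8 or not all(re.fullmatch(r"0x[0-9A-Fa-f]{2}", p) for p in parts):
            raise ValueError("comma form must be exactly 8 bytes like 0x12,0x34,...")
        return bytes(int(p, 16) for p in parts)
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", s):
        raise ValueError("plain form must be exactly 16 hex digits")
    return bytes.fromhex(s)


def kc_as_comma_form(kc_bytes):
    """Render 8 Kc bytes in the tool's comma-separated format."""
    return ",".join(f"0x{b:02X}" for b in kc_bytes)
```

Both Kc spellings in the help text parse to the same 8 bytes, so the checker can confirm a key copied from the SIM before a long decode run fails silently on a malformed -k.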

How to remove encryption from text messages?

Decrypt SMS
